
firejail: add nixos module #43511

Merged
merged 1 commit into from Jul 14, 2018

Conversation

peterhoeg
Member

@peterhoeg peterhoeg commented Jul 14, 2018

Motivation for this change

We need to set up a wrapper for it to work.

Cc: @coretemp

Fixes #43488

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: firejail

Partial log (click to expand)

these paths will be fetched (0.30 MiB download, 1.54 MiB unpacked):
  /nix/store/kpgla8ckyly4c8490cby1lvv3fyaq8pj-firejail-0.9.54
copying path '/nix/store/kpgla8ckyly4c8490cby1lvv3fyaq8pj-firejail-0.9.54' from 'https://cache.nixos.org'...
/nix/store/kpgla8ckyly4c8490cby1lvv3fyaq8pj-firejail-0.9.54

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: firejail

Partial log (click to expand)

these paths will be fetched (0.27 MiB download, 1.53 MiB unpacked):
  /nix/store/96k9hkya2ri5xgw52ryrdwl547bvkgki-firejail-0.9.54
copying path '/nix/store/96k9hkya2ri5xgw52ryrdwl547bvkgki-firejail-0.9.54' from 'https://cache.nixos.org'...
/nix/store/96k9hkya2ri5xgw52ryrdwl547bvkgki-firejail-0.9.54

@adisbladis
Member

It would also be useful to have a configuration option to wrap programs in $PATH with firejail.

I'm thinking something like:

programs.firejail = {
  enable = true;
  wrapBins = {
    mpv = "${mpv}/bin/mpv";
  };
};

That would be a really easy way for NixOS users to get MAC-ish behaviour for certain software.

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: firejail

Partial log (click to expand)

these paths will be fetched (0.30 MiB download, 1.54 MiB unpacked):
  /nix/store/kpgla8ckyly4c8490cby1lvv3fyaq8pj-firejail-0.9.54
fetching path ‘/nix/store/kpgla8ckyly4c8490cby1lvv3fyaq8pj-firejail-0.9.54’...

*** Downloading ‘https://nix-cache.s3.amazonaws.com/nar/0k5mcs84f0098iagc7cl9p60cn8l6j866xcm7pmhfdx433x2jf00.nar.xz’ (signed by ‘cache.nixos.org-1’) to ‘/nix/store/kpgla8ckyly4c8490cby1lvv3fyaq8pj-firejail-0.9.54’...

/nix/store/kpgla8ckyly4c8490cby1lvv3fyaq8pj-firejail-0.9.54

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: firejail

Partial log (click to expand)

/nix/store/96k9hkya2ri5xgw52ryrdwl547bvkgki-firejail-0.9.54

@adisbladis
Member

@peterhoeg Fantastic! Also needs a changelog entry for 18.09. :)

@peterhoeg
Member Author

It would also be useful to have a configuration option to wrap programs in $PATH with firejail.

Good idea - done.

Also add support for wrapping binaries with firejail.
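The wrapper mechanism the thread asks for (a mapping from a name in $PATH to an absolute store path, each name becoming a script that execs firejail around the target) is easy to reason about outside of Nix. The script below is an added example for this discussion, not the nixpkgs module's code; it assumes firejail is on PATH when a wrapper is run, that the output directory is placed ahead of the real binaries in $PATH, and that the store path used in the test is a constructed placeholder.

```shell
#!/bin/sh
# Added example: generate firejail wrapper scripts from a name -> path mapping,
# as the proposed wrapBins option would. Not the NixOS module's own code.
# Assumption: "firejail" resolves on PATH when a generated wrapper is executed.

# make_firejail_wrapper NAME TARGET OUTDIR
# Writes OUTDIR/NAME, an executable that execs firejail around TARGET and
# forwards all arguments. Prints the wrapper path on success.
# Rejects names containing '/' (would escape OUTDIR) and non-absolute targets
# (a relative target would be looked up on PATH again, possibly hitting the
# wrapper itself or a different binary than the one the mapping intended).
make_firejail_wrapper() {
  name=$1; target=$2; outdir=$3
  case $name in
    ""|*/*) echo "bad wrapper name: '$name'" >&2; return 1 ;;
  esac
  case $target in
    /*) ;;
    *) echo "target must be an absolute path: '$target'" >&2; return 1 ;;
  esac
  mkdir -p "$outdir"
  wrapper="$outdir/$name"
  # The absolute target is hard-coded into the script, so nothing resolved at
  # run time can substitute another program; "$@" passes arguments through.
  printf '#!/bin/sh\nexec firejail "%s" "$@"\n' "$target" > "$wrapper"
  chmod 755 "$wrapper"
  printf '%s\n' "$wrapper"
}

# check_wrapper FILE
# Returns 0 when FILE is executable and its exec line invokes firejail, i.e. a
# quick sanity check that a name found on PATH really is a jailed wrapper.
check_wrapper() {
  [ -x "$1" ] && grep -q '^exec firejail "' "$1"
}
```

Running `check_wrapper "$(command -v mpv)"` after the wrapper directory is on PATH confirms that the jailed script, not the bare binary, is what a PATH lookup resolves to.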
@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: firejail

Partial log (click to expand)

/nix/store/96k9hkya2ri5xgw52ryrdwl547bvkgki-firejail-0.9.54

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: firejail

Partial log (click to expand)

/nix/store/kpgla8ckyly4c8490cby1lvv3fyaq8pj-firejail-0.9.54

@peterhoeg peterhoeg merged commit 6e3ee65 into NixOS:master Jul 14, 2018
@peterhoeg peterhoeg deleted the m/firejail branch July 14, 2018 13:04
@peterhoeg peterhoeg restored the m/firejail branch July 14, 2018 13:43
@peterhoeg peterhoeg deleted the m/firejail branch July 14, 2018 14:45
@aanderse
Member

I'm having an issue with this so far. I have created a profile for vlc under ~/.config/firejail which should make everything except the ~/Downloads folder invisible:
whitelist ~/Downloads
If I try to browse the file system with vlc I can see everything in the File Open dialog, but if I click on anything outside of ~/Downloads I get an error that it doesn't exist.

So it appears that vlc is properly jailed, but the file open dialog is not...

Any thoughts @peterhoeg ?

@peterhoeg
Member Author

Not offhand, no.
